from the please-explain dept

The ACLU has jumped into a troubling legal fight, in which it appears that the DOJ has issued gag orders against Twitter and Yahoo concerning grand jury subpoenas that have been sent to both companies. This case is one we mentioned last week where magistrate judge John Facciola asked the two companies to weigh in, as he appears unconvinced that the government's request is sound. However, the whole thing is happening under seal, which the ACLU feels is inappropriate, given the importance of allowing companies to respond freely to such requests, without being gagged.

The ACLU filed a motion last night seeking to represent the public's interest in open court proceedings when the government seeks gag orders on Internet companies. We know about the three cases only because the magistrate judge pushed back on the government, inviting Yahoo and Twitter to weigh in and ordering the government to make its legal arguments public. The government appealed those orders to a district court, where the judge ordered the appeals sealed. The ACLU is now moving to intervene in the district court for the purpose of opening these gag order proceedings to public scrutiny. In a democracy, if your government is going to gag someone from speaking, it should publicly explain why.

The federal government has an awesome array of tools and technologies in its investigative arsenal, and it often goes to great lengths to shield its tactics from outside scrutiny. Not only does this secrecy prevent people from challenging surveillance used against them, but it also means that elected officials can't openly debate the underlying policies, and communities can't discuss their government's actions.

Traditionally, gag order applications are considered ex parte – meaning with only the government's argument on the record before the court. However, Magistrate Judge Facciola noted that the government's request in this case raised controversial legal questions, and so invited Twitter and Yahoo to respond. (In one case, the government withdrew its gag order application after Judge Facciola invited Twitter's participation.) He also ordered the government file public copies of its gag order applications with limited redactions.

It's good to see at least some pushback on the feds' attempt to get information and to silence companies from saying anything about it. But it's still quite troubling that they seem to assume they have near free rein to do so in the first place. Kudos to the ACLU for stepping in as well, and representing the public interest.

from the won't-someone-think-of-the-data-harvesters? dept

Yahoo discovered, as many tech companies did last year, that they had been opted-in to broad surveillance programs operated by the NSA and GCHQ. While these companies had always responded to official requests coming through official channels (the sort of thing detailed in their transparency reports), they were unaware that these agencies were also pulling data and communications right off the internet backbone and tech company servers.

This left most companies with no way to opt out of these collections. With the global reach of these two agencies, along with the others in the "Five Eyes" surveillance network, there are very few ways to avoid becoming another tool in the surveillance state toolchest.

Following the Guardian's disclosures about snooping on Yahoo webcams, the company said it was "committed to preserving our users trust and security and continue our efforts to expand encryption across all of our services." It said GCHQ's activity was "completely unacceptable..we strongly call on the world's governments to reform surveillance law."Explaining the move to Dublin, the company said: "The principal change is that Yahoo EMEA, as the new provider of services to our European users, will replace Yahoo UK Ltd as the data controller responsible for handling your personal information. Yahoo EMEA will be responsible for complying with Irish privacy and data protection laws, which are based on the European data protection directive."

Under the Regulation of Investigatory Powers Act (RIPA), the UK government can force UK-based service providers to turn over data from their servers. Ireland, however, operates under European data privacy laws, not the UK's, which would theoretically help Yahoo hold onto its customers' data.

The potential loss of a large data source seems to have touched off a mini-panic within the intelligence community, which strongly suggested UK Home Secretary Theresa May take the internet company aside and discuss "security concerns."

[C]harles Farr, the head of the office for security and counter-terrorism (OSCT) within the Home Office, has been pressing May to talk to Yahoo because of anxiety in Scotland Yard's counter-terrorism command about the effect the move to Dublin could have on their inquiries...

"There are concerns in the Home Office about how Ripa will apply to Yahoo once it has moved its headquarters to Dublin," said a Whitehall source. "The home secretary asked to see officials from Yahoo because in Dublin they don't have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard and the national crime agency. They regard this as a very serious issue."

Well, chances are RIPA won't apply, which would be the only reason these agencies are "concerned." They may have to go elsewhere to collect thousands of potentially naked webcam photos and videos. I'm sure the argument that terrorists will shift to Yahoo services as a result of the company's move is right around the corner. But the reality is that UK agencies will be forced to clear one additional minor hurdle before gaining access to the info it feels serves national security interests.

From Friday, investigators may have to seek information by using a more drawn out process of approaching Yahoo through a Mutual Legal Assistance Treaty between Ireland and the UK.

And how difficult can a "mutual assistance" process actually be? As we've seen detailed repeatedly since the leaks began, the world's intelligence communities enjoy relationships that range from "symbiotic" to "incestuous." That agency heads would feel the need to send a top government figure out to persuade Yahoo to stay within the easy reach of surveillance tentacles shows that these agencies love having tons of data, but really hate having to make the slightest amount of effort.

from the it's-a-lot dept

Last week, we noted that the DOJ and various internet companies had settled their legal fight, which concerned whether or not those companies could reveal the details of how many FISA Court requests they were receiving -- both in terms of how many requests they get and how many accounts are impacted. While Apple immediately released their information, showing very few users impacted, the real interest is in Google, Yahoo and to a lesser extent Facebook. Both Google and Yahoo have put out blog posts updating their transparency report numbers. It appears that both Yahoo and Google decided to go with "option 1" in the settlement, which lets them reports NSLs and FISA orders separately, but in bands of 0-999. The big question with both of them, really, was just how many "customer accounts affected" there would be, and both presented numbers (in slightly different formats). Google showed a historical listing:

Yahoo just shows the most recent:

If you remember, by choosing Option 1, the companies could actually show "customer accounts affected" -- if they had chosen option 2, they could only show targeted customers, leaving out others who were affected as well. But here we see that the number of accounts affected is much larger than the number of requests (though certainly much more limited than some assumed). That is, these requests (which make up a large part of the PRISM program) impact thousands of users, but not millions or "all" as some have claimed. There may very well be other NSA surveillance programs that get data from many more users, but not the FISA orders/PRISM.

Concerning the Google data, you can see that there's been a pretty big increase in the number of users impacted over the past few years, peaking at the end of 2012, but that drop in the beginning of 2013 may be just seasonal. Meanwhile, it's interesting to see that a much larger number of Yahoo accounts have been impacted. Of course, for all we know, there could have been one FISA order to Google and three to Yahoo and then the number of accounts impacted would be around 10,000 per order. But, without more granularity, it's impossible to tell.

What does seem clear is that there are about 40,000 accounts on Yahoo or Google to which the NSA/FBI and others in the intelligence community have access.

Microsoft, a major surveillance partner for the US government, received fewer than 1,000 orders from the Fisa court for communications content during the same period, related to between 15,000 and 15,999 “accounts or individual identifiers”.

The company, which owns the internet video calling service Skype, also disclosed that it received fewer than 1,000 orders for metadata – which reveals communications patterns rather than individual message content – related to fewer than 1,000 accounts or identifiers.

[....] Facebook disclosed that during the first half of 2013, it turned over content data from between 5000 and 5999 accounts – a rise of about 1000 from the previous six month period – and customer metadata associated with up to 999 accounts.

from the too-bad dept

It appears that the lawsuit that a bunch of big internet companies had filed against the NSA in an attempt to reveal just how often they get FISA court information requests and how many of their users are impacted is now over, as the government has reached a settlement with the companies, allowing them slightly more leeway in sharing information, but in a very limiting way.

Not too long ago, the government had started allowing companies to reveal, for the first time, how many national security letter (NSL) requests they get, but said they had to reveal that number in ranges of 1,000 starting with 0 to 999. However, they did not allow any such reporting on FISA Court (FISC) orders, which covered things like the now infamous PRISM program under Section 702 of the FISA Amendments Act. It appears that the settlement more or less follows the outline of what the government allowed with NSLs. Companies are given two options. One is to basically report FISC requests like NSL requests, in bands of 1,000, and to similarly report "number of customer accounts affected" for NSLs, "FISA orders for content," "number of customer selectors targeted under FISA content orders," "FISA orders for non-content," and "number of customer selectors targeted under FISA non-content orders." All of those can be revealed separately, but always in bands of 1,000, starting with 0 to 999.

Alternatively, if companies are willing to lump these various programs together, they are allowed somewhat more granularity. So, if they lump together NSLs and FISA orders into a single number, they can reveal the details in bands of 250, starting with 0 to 249. Similarly, they can list the lumped together "customer selectors targeted" under combined NSLs and FISA orders in bands of 250.

"Asking the public and policymakers to try to judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow: only the grossest and most obvious problem, if even that, will be ever be evident."

Among the problems here, are that while they can reveal the number of customer accounts impacted for NSLs, that's not what they can do with FISC orders. Instead, they can only reveal "customer selectors targeted." That can be very different. You can imagine a "customer selector" that impacts many, many user accounts. And that's what many people are worried about -- and with this agreement, we won't actually know.

Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., getting access to a service that previously was not being tapped by the NSA/FBI), the companies cannot share that information for two years. The thinking here is rather obvious. Say, for example, a company launches a new voice communications service, like Skype -- and then gets hit with a FISA court order demanding that the NSA be able to listen in. The companies would be blocked from revealing that for two years. Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.

There is still some indication that Congress may require greater transparency here. I can understand why the tech companies agreed to settle, but it's a bit disappointing that they threw in the towel so quickly.

Since they're doing ranges of 250, they're clearly lumping together both national security letters and FISC orders as "national security orders" though that's a bit confusing. Also, I don't think Apple is actually allowed to say "total accounts affected" from the terms of the agreement. When it comes to FISC orders, they can only list "customer selectors targeted," and saying "accounts affected" would suggest more information than the agreement appears to allow. Still, the obvious suggestion is that the government isn't requesting that much information directly from Apple, though other reports suggest it gets plenty of information, not directly via Apple, but by hacking their way into iOS devices....

from the bitcoin-mining-scams-on-the-rise dept

A decade ago, it was actually fairly common to see various "distributed computing" projects seek to put a variety of people's computers to use to tackle tough problems -- and sometimes those distributed efforts involved clearly revealed and transparent code within other applications. A couple years ago, just as Bitcoin was first starting to get attention, I remember hearing from someone who was talking about trying to build a media player that would look to offer licensed/authorized content in exchange for quietly being a part of a Bitcoin mining effort. Nowadays, it appears that this idea of creating secret distributed Bitcoin mining is taking on a somewhat more questionable reputation. A gaming software company was whacked with a $1 million fine after (the company claims) a "rogue employee" included some Bitcoin mining hidden within their app. There have been accusations that a number of other apps out there are also secretly mining bitcoin.

Just recently, we noted that Yahoo users in Europe were exposed to malicious ads that were downloading malware. It's now come out that the malware was... Bitcoin mining software, which sought to use some of everyone's excess computing resources to hunt for more Bitcoin. As "malware" goes, this is actually a lot less damaging than some other stuff out there (keyloggers designed to steal bank info, for example). It likely would bump up electricity bills slightly for some users, and basic PC mining is pretty ineffective, but it's interesting to see that malware folks are taking such extreme steps to try to build secret Bitcoin mining networks.

Of course, it still seems like doing this kind of thing in an upfront way might be an interesting business model: offer some useful software for free, telling folks very clearly that the "payment" is that they'll be using some of your spare cycles for mining. Of course, it might be better if this was done for cryptocurrencies that weren't so damn inefficient with electricity -- something like Peercoin instead of Bitcoin, for example. I imagine it's really only a matter of time. Imagine a Netflix/Hulu competitor that offered you the content for free, in exchange for distributed computing power, paying the licenses out of the proceeds from the mining. It's not that crazy when you think about it...

from the it's-not-almost dept

Steven Levy, who specializes in massive articles looking into aspects of the tech industry, has a new one for Wired, called How the NSA Almost Killed the Internet. It basically looks at how the NSA legally coerced the tech companies into having to comply with certain court orders to hand over information, and how the tech companies have been gagged from explaining what's going on. And then... he gets the NSA's side of the story. Much of what's in there is stuff that you probably already know (especially if you read Techdirt regularly), but I wanted to call out a few tidbits that I hadn't seen or heard anywhere else before:

Google doesn't charge the government for requests for information:

FISA requires the government to reimburse companies for the cost of retrieving information. Google says it doesn’t bother to charge the government. But one company says it uses that clause, hoping to limit the extent of the requests. “At first, we thought we shouldn’t charge for it,” says an executive of that company. “Then we realized, it’s good—it forces them to stop and think.”

This is kind of a "damned if you do/damned if you don't" situation. I know plenty of folks in the civil liberties community go back and forth on it. When companies do charge, then you see articles about how companies are "making a profit" off of violating our privacy. If they don't charge, then you see arguments about how they're making it too easy for the government to get info. Either way, the standard has been to charge basic costs, so it's interesting to see that Google doesn't charge at all, probably betting on the fact that if they did, it would be misrepresented. Of course, the fact that they don't might be misrepresented as well.

The NSA has no response to fear of future abuse of programs beyond "we'd never do that." Seriously.

Critics charge that while there is not yet any evidence of massive abuse of the NSA’s collected data, there is also no guarantee that a future regime won’t ignore these touted protections. These officials discounted that possibility, saying that the majority of NSA employees wouldn’t stand for such a policy. “If that happened, there would be lines at the Inspector General’s office here, and at Congress as well—longer than a Disneyland line,” Ledgett says. (The fates of several NSA employees-turned-whistleblowers indicate that anyone in that hypothetical queue would be in for a ride far wilder than anything in Anaheim.)

Sure, except there's a very long history of the NSA and the FBI doing exactly the opposite (the claim of no evidence of massive abuse is not actually true). And, as Levy notes in that final parenthetical, the way whistleblowers are treated these days would probably shorten that line quite a bit.

Keith Alexander admits that companies were compelled to comply and admits that we should stand up for the companies not to be harmed by all of this:

“This isn’t the companies’ fault. They were compelled to do it. As a nation, we have a responsibility to stand up for the companies, both domestically and internationally. That is our nation’s best interest. We don’t want our companies to lose their economic capability and advantage. It’s for the future of our country.”

Those words could have come from a policy spokesperson for Google, Facebook, Microsoft, or Yahoo. Or one of the legislators criticizing the NSA’s tactics. Or even a civil liberties group opposing the NSA. But the source is US Army general Keith Alexander, director of the NSA. Still, even as he acknowledges that tech companies have been forced into a tough position, he insists that his programs are legal, necessary, and respectful of privacy.

This is just bizarre. If he doesn't want the companies to lose their economic capability and advantage, maybe he shouldn't have undermined a large portion of it.

Companies were given about 90 minutes to respond to the (misleading) claims in the original PRISM article that they had given the NSA direct access to their servers.

“We had 90 minutes to respond,” says Facebook’s head of security, Joe Sullivan. No one at the company had ever heard of a program called Prism. And the most damning implication—that Facebook and the other companies granted the NSA direct access to their servers in order to suck up vast quantities of information—seemed outright wrong. CEO Mark Zuckerberg was taken aback by the charge and asked his executives whether it was true. Their answer: no.

Similar panicked conversations were taking place at Google, Apple, and Microsoft. “We asked around: Are there any surreptitious ways of getting information?” says Kent Walker, Google’s general counsel. “No.”

This remains one of the most unfortunate bits about the Snowden leaks. While I think that Barton Gellman, Glenn Greenwald and Laura Poitras have done an incredible job with most of their reporting, the original PRISM stories that appeared in the Washington Post and Guardian both came out rushed and were misleading, which is still impacting how people are reporting on these things today. The PRISM program and Section 702 of the FISA Amendments Act have serious issues that need exploring, but it's all been distorted by the misleading initial claims, which implied things that just weren't true.

The NSA claims it uses the very same encryption that it tries to push everyone else to use. Yes, the same encryption that Snowden docs have revealed was compromised by the NSA.

And the NSA insists that, despite the implications of those Snowden-leaked documents, it does not engage in weakening encryption standards. “The same standards we recommend are the standards we use,” Ledgett says. “We would not use standards we thought were vulnerable. That would be insane.”

Sorry, but no one believes that one at all. The clear takeover by the NSA of NIST standards shows that's clearly not true.

The NSA still doesn't realize how serious all of this is. They still think it's just been blown out of proportion.

They understand that journalism conferences routinely host sessions on protecting information from government snoops, as if we were living in some Soviet society. And they are aware that multiple security specialists in the nation’s top tech corporations now consider the US government their prime adversary.

But they do not see any of those points as a reason to stop gathering data. They chalk all of that negativity up to monumental misunderstandings triggered by a lone leaker and a hostile press.

Patent troll Nathan Myhrvold is also completely clueless about national security:

Former Microsoft research head Nathan Myhrvold recently wrote a hair-raising treatise arguing that, considering the threat of terrorists with biology degrees who could wipe out a good portion of humanity, tough surveillance measures might not be so bad. Myhrvold calls out the tech companies for hypocrisy. They argue that the NSA should stop exploiting information in the name of national security, he says, but they are more than happy to do the same thing in pursuit of their bottom lines. “The cost is going to be lower efficiency in finding terrorist plots—and that cost means blood,” he says.

This is stupid on so many levels. First, the old argument that it's somehow equivalent of tech companies and the NSA to make use of information -- a claim that Levy ridiculously repeats multiple times in his article -- is a line that has been debunked so many times it's really beneath Levy to give it any life at all, let alone refuse to point out how stupid it is. Companies provide a direct service to users, and they make a decision: If I give this information, I get this service in return. It's a decision made by the consumer, and a trade-off where they decide if it's worth it. We can argue that people should have more information about the costs and benefits, but it's still a trade-off where the final decision is their own. The NSA, on the other hand, is not providing a choice or a trade-off. They're just taking everything in exchange for nothing. And, oh yeah, they have guns and can put you in jail -- something no company can do.

Second, Myhrvold incorrectly buys completely the line that all this data collection has been helpful in stopping terrorists. There's just one problem: there is no evidence to support that. Besides, based on his idiotic reasoning, we might as well just do away with pretty much all our rights. For example, I'm pretty sure that we could all have protected Myhrvold more completely if there were video cameras streaming video of everything he did within the privacy of his own home, cars, office or just walking around, right? We could certainly make sure that no one was attacking him or, better yet, that he wasn't about to attack anyone. The cost of not spying on every moment of Nathan Myhrvold might mean "blood." So, based on his own logic, we should violate his privacy, right?

All in all there's a lot in the article that's worth reading, but those were a few key points that really stood out.

from the disable-java dept

There has been an unfortunately long history of malware attacks via ad networks, often created by hacking into networks, but sometimes just by sneaking in a legitimate-looking ad that that is able to then sneak in an exploit. Over the weekend, it came out that hundreds of thousands of Yahoo users in Europe were exposed to ads that automatically tried to install malware as part of an attempt to build a botnet. The exploit used security holes in Java (not Javascript, which, once again, we need to remind people is entirely different). It's long been recommended that you turn off Java completely in your browser, so this is yet another reminder.

Still, for a company the size of Yahoo, this is pretty embarrassing. You expect smaller companies to get hit by this sort of thing. Yahoo is supposed to be better than that. Coming so soon after the company could barely seem to keep its email products online, suggests a company that is really struggling on the tech side. Of course, this shouldn't be a huge surprise. We'd noted back when Yahoo decided to go all patent trolly and sue Facebook that it was going to damage its reputation. It's tough to keep good techies around when you do things like that, and perhaps Yahoo could use a few good techies right about now.

Schmidt, of Google, opened the meeting and laid out industry officials' concerns. Obama seemed sympathetic to the idea of allowing more disclosure of government surveillance requests by technology companies, according to a tech industry official who was briefed on the meeting. The official asked to remain anonymous because the meeting was private.

Mayer, the Yahoo! executive, brought up concerns about the potentially negative impact that could be caused if countries, such as Brazil, move forward with legislation that would require service providers to ensure that data belonging to a citizen of a certain country remain in the country it originates, the official said.

That would require technology companies to build data centers in each country — a costly problem for American Internet companies, the official said. The White House noted in a statement after the meeting that the group discussed the "economic impacts of unauthorized intelligence disclosures."

We've been saying since the Snowden leaks first came out that the tech industry needed to be a lot more vocal about how bad the NSA's actions are for pretty much everyone, so it's good to see at least some effort to continue to push that story. Of course, the list of attendees also includes AT&T's Randall Stephenson -- and AT&T has been one of the companies most complicit in the NSA's activities, something the company refuses to talk about, and unlike the actual tech companies, seems completely unwilling to address.

from the because dept

As you may recall, in the ongoing lawsuit by various tech companies against the government, in which they're seeking to reveal some rather basic details about how many surveillance data requests they get and how many users are impacted, much of the feds' brief was redacted... even to the tech companies. The companies argued, quite reasonably, that it was crazy to make them fight a legal battle in which the DOJ could make arguments that the companies themselves couldn't see or respond to. They asked the FISA Court to either let them see the arguments or to remove them from the case.

The Government's public brief meets and exceeds the requirements of Rule 7(j). The rule clearly provides that submissions to the Court "which may include classified information" will be reviewed by the Court "ex parte and in camera" and that adversarial parties will receive only "an unclassified or redacted version" which "clearly articulate[s] the government's legal arguments." Rule of Procedure 7(j). Not only does the Government's public brief "clearly articulate the government's legal arguments," the legal arguments are fully disclosed. The redacted information contains no additional legal arguments, no case citations, and no discussion of statutory or other law.

Of course, that raises other questions. If the redacted portions (which are fairly large) don't raise legal arguments, then what are they doing?

The government also argues that the executive branch gets the right to determine what to redact and the court should defer to the government on such things:

... this Court does not independently review Executive Branch classification decisions.... Executive Branch classification decisions are entitled to "the utmost deference"... and that such deference is especially appropriate where the Executive Branch bases its classification decision, as here, on a review of all pertinent information, including whether disclosure of the data in the manner proposed by the companies would risk filling out the mosaic of information available to our adversaries in their efforts to assess and avoid our surveillance capabilities.

And so we're back to the "mosaic theory," in which the feds argue they can redact stuff out of a fear that a bunch of random info can be put together by bad people to figure out more than the feds want to reveal. But... that makes no sense here. The companies are asking at this point that their own lawyers be able to see the arguments, not necessarily that the details be made public. The court could easily seal the filings from the public while letting the companies' lawyers see it.

from the wave-that-magic-wand dept

Every so often it seems like a completely, technologically (and basic concept of properly applied liability) ignorant court does something like what a French court did last week. The High Court of Paris says that Google, Microsoft and Yahoo need to completely delist 16 full sites from their index -- even to sites hosting perfectly non-infringing works. This, of course, was the dream of SOPA: that search engines would have to make sites completely disappear based on their say-so that the sites were "pirate" sites. But reality doesn't work that way for a variety of reasons. Sites that have significant infringing uses at one time, also have significant non-infringing uses, and as the technology develops, they tend to increase the non-infringing uses. The VCR, for example, was mainly used to copy works in unauthorized ways when it was first launched -- but part of the problem was the refusal of the industry itself to embrace the new technologies. Yet, now the court is killing even that possibility -- so creators who want to make use of these platforms to promote themselves are completely out of luck, because the more powerful legacy industry lobbyists got a court to basically kill off those platforms.

As we noted last week, this SOPAfication of the world is increasingly the goal of the entertainment industries, and they've been having a lot of success in Europe, where sympathetic lawmakers and courts don't seem to recognize how they're propping up an industry that doesn't want to adapt, while striking a blow against two important things: disruptive new innovations and the concept of secondary liability.

Search engines aren't there to help people find what the legacy industries want them to find. They're designed to help the searcher find what that searcher wants. Telling those search engines they can't do that, and that they have to point to what some other industry wants, sets a very dangerous precedent. Letting legacy industries effectively program search engines to their liking pretty much guarantees limited innovation, both by stopping those innovative new platforms from gaining traction, while at the same time convincing the legacy players that they can continue to rest on their laurels.